New Attack Singles out IE Flaw

Microsoft warned last week that it would be easy for cybercriminals to
build new attacks using bugs it patched in the Internet Explorer
browser; now that prediction has come true.

On Tuesday, security vendor Trend Micro said that it had spotted the
first attack taking advantage of one of two flaws patched a week ago.
Microsoft has said that either of these vulnerabilities would be easy to
exploit in online attacks.

Over the weekend, Trend Micro researchers spotted what appears to be a
small-scale, targeted attack that exploits the flaw to install spy
software, said Paul Ferguson, a researcher with the antivirus vendor.
"It installs a back door that uploads stolen information on port 443 to
another site in China," he said.

Microsoft was unable to immediately comment on Trend Micro's report on
Tuesday.

Although Ferguson does not know who wrote the attack code, he said that
it looks similar to software that was sent to pro-Tibetan groups about a
year ago, apparently for the purpose of intelligence gathering.

Both last year's attack and this latest malware are triggered when the
user opens a malicious Word document. That document contains an ActiveX
object that connects IE to a malicious Web site, which launches the
attack and then installs the spy software.

The criminals don't need to use Word to exploit this flaw -- the attack
would work if the victim were simply tricked into visiting a malicious
Web site -- but this technique is consistent with past Tibet-focused
attacks, Ferguson said.

Whether this will lead to more widespread Internet Explorer attacks is
unclear, Ferguson said.

Verisign's iDefense group thinks that more attacks are likely. "Although
this attack is limited in scope and will likely only be targeted to very
few organizations, the availability of reliable exploit code will soon
be discovered by others and these attacks will likely be widespread
within a week's time," the company said in an alert sent out to
customers Tuesday.

"Right now, we don't see any real proof of an ongoing campaign here,"
Ferguson said. "But ... it's very simple to mitigate this threat
completely. You don't have to worry about antivirus protection: Just
patch your machines."